
Social Engineering - Christopher Hadnagy [55]

questions that might have come up.

He had to also be smooth enough to not raise suspicion.

This pretext had to be meticulously planned out with the utmost detail being thought through. It wasn’t until he visited a former associate that his pretext failed, and he was caught. When he was caught, people who knew him were amazed and some even said things like, “There is no way he is a thief; everyone loves Mark.”

Obviously his pretext was solid. He had a well-thought-out and, one would guess, well-rehearsed plan. He knew what he was there to do and he played the part perfectly. When he was in front of strangers he was able to play the part; his downfall came when he was with a colleague who knew him, and that colleague saw a news story, put two and two together, and turned Mark in.

Amazingly enough, while out on bail, Rifkin began to target another bank using the same scheme, but a government mole had set him up; he got caught and spent eight years in federal prison. Although Mark is a “bad guy,” you can learn much about pretexting from reading his story. He kept it very simple and used the things that were familiar to him to build a good storyline.

Mark’s plan was to steal the money and turn it into an untraceable commodity: diamonds. To do so he would first need to be a bank employee to steal the money, then a major diamond buyer to unload the cash, and finally sell the diamonds to have usable, untraceable cash in his pocket.

Although his pretext did not involve elaborate costumes or speech patterns, he had to play the part of a bank employee, then a major diamond buyer, then a diamond seller. He changed roles maybe three, four, or five times in this gig and was able to do it well enough to fool almost everyone.

Mark knew who his targets were and approached the scenario with all the principles outlined earlier. Of course, one can’t condone what he did, but his pretexting talents are admirable. If he put his talents to good use he would probably make a great public figure, salesperson, or actor.

Example 2: Hewlett-Packard

In 2006 Newsweek published a very interesting article (www.social-engineer.org/resources/book/HP_pretext.htm). Basically, HP’s chairwoman, Patricia Dunn, hired a team of security specialists who hired a team of private investigators who used pretexting to obtain phone records. These hired professionals actually got in and played the roles of HP board members and parts of the press. All of this was done to uncover a supposed information leak within the ranks at HP.

Ms. Dunn wanted to obtain the phone records of board members and reporters (not the records from the HP facilities, but the personal home and cell phone records of these people) to confirm where she suspected the leak was. The Newsweek article states:

On May 18, at HP headquarters in Palo Alto, California, Dunn sprung her bombshell on the board: She had found the leaker. According to Tom Perkins, an HP director who was present, Dunn laid out the surveillance scheme and pointed out the offending director, who acknowledged being the CNET leaker. That director, whose identity has not yet been publicly disclosed, apologized. But the director then said to fellow directors, “I would have told you all about this. Why didn’t you just ask?” That director was then asked to leave the boardroom, and did so, according to Perkins.

What is notable about this account is what is next mentioned about the topic of pretexting:

The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called “pretexting”; Newsweek obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using “false pretenses” to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security numbers
